Posted
by
CmdrTacoon Tuesday April 06, 2010 @11:52AM
from the this-will-end-badly dept.

bl8n8r writes "More woes for Adobe as a security firm creates a proof-of-concept attack that injects malicious code as part of the update process. The user only needs to click a dialog box to execute the code and no JavaScript is needed to launch the exploit. The exploit affects Foxit as well as Adobe Acrobat software. This exploit is made possible through the host software allowing execution of system binaries. Not clear if it's multi-platform, but seems plausible."

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf/". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system. Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

It also doesn't help at all that most Linux users (especially those who are told so by the geeks!) believe that Linux cannot get malware. In my opinion this is a really stupid thing to do from those promoting Linux or Mac OS X as it will just lead to false sense of security.

Runs with the same privileges as the parent program. So it can kill my home folder, not "rm -rf/" And like every other security hole found so far it will be written out. Considering they all get written out the fair comparison would be comparing number and severity of vulnerabilities by platform. If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

If it can't boot after a vulnerability is exploited or you can't remove it within 30 minutes then have it count doubly so.

The days when malwares purpose to trash the system to an unbootable state have been over for 15 years. Now a days you don't really even notice them being on your machine unless its one of those which show fake virus alerts. How would you notice if it just starts sending spam or sniffing your passwords?

Another point is that you can fairly easily hide in a Linux system. If you absolutely need root access, there have been serious privilege escalation exploits over the years. Most of the Linux systems aren't even necessarily being patched consistently. I've seen one of these privilege exploits used on many hosting companies that usually keep their systems up to date and secure too. That beside the point that it's not usual that you even need root access.

Linux is a lot different than running as root all the time on Windows. My security updates are pushed to me as they are fixed, not even pushing up to a month of vulnerability to patch unlike some systems meant to make corporate IT admins happy. All popular Linux distributions have an updating function: you get your security patches and patches to everything else in your repositories a lot more consistently than Windows. To deny this shows unfamiliarity with Linux. Thats even before you get into functions like selinux and apparmor which happen to be standard on my flavor. For everyone. This is also an Adobe bug, and doesn't affect most Linux PDF readers as far as I'm aware and even if it did I'd have a lot more faith that the Linux ones would be rendered immune more globally than the hodgepodge of updating (or lack of) systems on Windows. You're pointing the finger at Linux and saying: "You're vulnerable too!" But in the practical real world it is a case of not.

It's not an Adobe bug, it's a feature in the PDF specs that can be exploited with user stupidity. That's the point I've been trying to made, no OS unless it's completely locked down a la iPhone will protect you from user stupidity. Not Windows, not Linux, not BSD.

Maybe Ubuntu pushes updates itself, but Debian, Fedora and CentOS doesn't. Not for me at least, and I haven't changed anything regarding that. If you want to update, you need to type in the yum update or apt-get update commands manually. And thats

KPDF (now Okular) [kde.org] has specifically forbidden this behavior forever because it is a security risk. I use Okular myself so I am not vulnerable to this issue. Since it has been known so long to be a security issue in Linux-land why has Adobe allowed it so long? XPDF also is not vulnerable to this issue and so on. So it appears to be a tempest in a tea-cup for Linux and just another day on Windows.

This goes to show that it doesn't matter which the OS is, as it's mostly about software or user stupidity. Windows and Linux are on par in this, neither one is better than the another. There is SELinux for Linux which can mitigate the issue, but there are such tools and settings for Windows too. Not that any casual user will put up with those in either system.

To pretend that one OS is inherently superior in security over another also borders on incredulous. Anytime a specific OS is mentioned in a security discussion, that person has lost the discussion, and does not understand the entire concept of security. Security isn't software. Security isn't an operating system. Security is a set of practices and policies that apply to all software and operating systems regardless of what specific type they are.

I fully agree, and had I modpoints I'd simply add a +1 insightful to your score.Since I haven't, though, I'd like to point out that while it is true that you can't simply equate security with a piece of software, you *can* compare how well two teams of developers (try to) adhere to those practices and policies.

I have a feeling that Linus and the people who verify kernel patches have a better track record in that than the people at Microsoft who decide that a given feature WILL BE in the next release, regard

I never understood why people bothered with Acrobat Reader on Linux - KPDF/Okular has been smaller, faster and nicer looking for years, and it integrates better with the KDE desktop. I'd imagine the same it true of whatever Gnome uses?

So unless you can convince the non believers you are not going to get that feature, sorry:-/"

Good quote from the discussion. That's how (many) people view disabling features for security reasons. The developers get to be called "non believers". How do you tell these users how bad the feature they want is? And these are geeks posting bugs, and developers, not average Joes. The average Joe might even refuse to use the more secure

no OS unless it's completely locked down a la iPhone will protect you from user stupidity.

It's not alway user stupidity, just how the system is designed. Even a closed system like the iPhone [sophos.com] can be hacked by a third party without access to the computer itself. This exploit effected all smartphones, granted only iPhone's didn't get patched against it until 48 hours after the information about it went public.But it showed that it was possible, even given it's locked down nature.

I'll give you a real world example of how this functionality is used. We used Adobe standard to export email from our Lotus Notes email system so that any legal records can be imported into our content management system, these archives are a complete copy of the email records including metadata and attachments stored within a PDF file. Clicking on an attachment in the archive opens the system default viewer for that file type. Turning this feature off would significantly reduce the functionality and user fr

BTW if you either go to the Foxit site or even better run Filehippo update checker [filehippo.com] which will keep your Windows machine up to date with regards to 3rd party programs, you'll see that Foxit has already released a new version that fixes the bug.

So the TFA should probably read "affects previous versions of Foxit" as like Firefox Foxit is great about getting patches out there quickly when threats are found.

I keep hearing this repeated ad infintum. Since Win XP SP2, most software got adapted so it could run as Limited user. Even game developers got the message. The Sims 2 initially came out as "Admin only". That was patched within months when people complained.

Anyway, even for non-behaving software, it is usually a matter of setting User-Write-Permissions on the folder of the misbehaving application. If that doesn't help, set User-Write-Permission

Yes, I recommend that to all of my clients. Some software really wants access to program files, but thats fixed with cacls on the directory. Very few programs actually need admin, even quickbooks (whose tech support guys will insist it does). And for the programs that really really need it, theres always runas; you dont need your whole shell running with admin priveleges.

It is present in Adobe Reader, it has already been patched out of FoxIt and it never existed in XPDF.

If you will read the article on this from several days ago, you will see that there was a PDF released which runs calc on windows, xcal

Unless you're running software that hasn't been updated in the last 5 years, it'll work just fine. For vast majority of home users, this will be the case. For enterprises, they may have a legacy line-of-business application written in 90s that needs Administrator - however, if you use a modern Windows OS (i.e. Vista/7), you just configure that particular application to request elevation when started.

Linux build from 8 years ago? XP is still widely in use so it is fair to mention it, the average Linux build on a home computer (the target of this attack - servers have to need for Adobe Reader) are well newer than 8 years! I guess having Free updates to newer versions makes it a lot easier to stay current. His second response agreed with me. The third called me a fag. The fourth said it was a bug in the spec when every PDF viewer - except Reader - on Linux doesn't follow that part of the spec for sec

While I don't disagree with your other points, this statement is false. Nearly all widely-used XP software runs just fine under a user with limited rights, as this is how XP is run in any corporate environment.

Linux is a lot different than running as root all the time on Windows.

Let's say that there are no exploits to get root access on a Linux system. What can malware do with limited user account?

rm -rf/home/user - would work, but uselesssending spam - you don't need root access to send mail, do you?participating in a botnet - you don't need root access to open a port and give shell to whoever is connecting.searching user files for valuable information - would work

Usually you don't use those linux servers on hosting companies as desktops where you run acrobat reader. And desktops/notebooks/etc are usually more frequently updated (both as using new distributions or with patches available in the case you prefer to stick with a non latest version).

But anyway, you don't need root access to do most of what botnets/spambots do, with plain user access is bad enough. And targetted attacks could access most of what the user do without needing to go root neither.

Maybe you should actually, you know,...use Linux before you attempt to troll about security.

What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf/". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to. This of course being just one of the examples it could do. Remember that most malware doesn't even need root access to function.

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general. Although it's pretty devastating to issue a "rm -rf ~" to delete the user's home directory, it's on par with Windows. Then you say that most malware doesn't even need root access to function, but on all the millions of XP boxes out there, it's already given root access by default.

Another reason why it would be even more serious on Linux is the way you can pipe commands and how most systems come pre-packaged with a ton of little utility apps. You can create the whole malware with a series of commands, or wget a bash script from the internet and start that to hide even more malware in the system.

Windows has a pipe function too, in addition to being able to zoink your whole file system with a simple "del". It also comes with ftp and telnet, which are handy replacements for wget. In short telnet+response file = download an.exe from the web = any sort of functionality you might want using Unix command line tools.

No one is saying Linux is about as secure as XP, but the OP is saying that because of the spreading culture among many Linux users that there is no way they can get malware, this type of attack might easily fly under the radar. No need to compare to XP because we all know it's not a fair comparison!

Of course programs care what you think of them. (Or stepping away from gratuitous and confusing anthropomorphizing, the authors of such software care.)

Trojans and other automated social engineering depend on projecting trustworthiness; i.e., that the user thinks the software is both reliable and desirable. If user perceptions of software didn't matter, malware wouldn't try to trick users. They'd just say "click here to get pwned".

Until Chuck Norris manifests himself as malware, what users think of software

Nobody uses the root account in Linux for everyday activity. In Ubuntu, root login is even disabled by default (you have to sudo). So no worries about the system in general.

There is actually one way in which this can potentially be more harmful in Linux than in Windows, although GP missed that one (for all the invented stuff that he came up with). The problem is that sudo caches your credentials for a certain period of time (5 minutes by default, IIRC) after you use it for a given user account. So, if you use sudo to run something that needs it, and then exit that application, and then some malware does exec sudo shortly after, it will quietly get root.

Well said. Also don't forget that Evince, the default pdf viewer in Gnome and in Ubuntu, is immune to this exploit, as confirmed by several comments on Didier Stevens' original announcement [didierstevens.com].

So here we have another good reason not to use Acrobat Reader on Linux (or on anything else, for that matter), but also not to trust closed-source alternatives like FoxIt. Evince is fast, efficient, easy to use, has all the necessary features, nothing more, nothing less. And hey, there's even a Windows version!

even I don't always su out of root even if some command between what I'm doing doesn't require root

So how does this Adobe flaw get access to your root terminal to continue issuing commands? And if you are running your desktop session as root you are an idiot. Ubuntu doesn't even have root it has sudo and if you want to enable the root account ("sudo passwd root") you have to go out of your way to make your system insecure. The fact is that unlike Windows Linux programs are written to not require root.

I suspect it uses normal exec(), just like it works in every other program.

Almost any Windows program doesn't require root/admin now a days, and if they do, it's for a reason. You can't really compare to Windows 98 and the programs from that age. If we go that route, we might as well start digging the hundreds of privilege escalation and remote exploits that Linux in its history has had.

You also don't need to run the whole desktop as root. You can launch Firefox by typing "firefox" in terminal (either in te

The fact remains and is insoluble right now that Windows allows root access more easily than Linux. You have to go out of your way to be root on Linux, XP (a very common operating system still in use) gives you root as a matter of course. And you can compare XP and Linux because both are commonly used right now. Vista will elevate on a whim and I'm sure 7 would too, at least with Linux when something tries to elevate you wonder why where with Windows you'd be right the majority of the time just assuming

As already said, malware doesn't need to run as root or Administrator.

But then it comes to sudo prompt / UAC. How are you going to educate old granny not to enter root/admin password when OS asks for it unless there a valid need for it? Heck, I've playing and working with computers (C64, C128, Amiga, PC Windows/Linux/BSD, Sparc/Solaris etc. etc.) for 25 years now and even I can't always tell when UAC (yes, I'm using Vista currently) prompt is valid or not! Just yesterday some Java-piece-of-crap asked for ad

there is absolutely, positively, no one that "do[es] it for convenience" with any distro released in the last bloody decade that has any statistically relevant user base. Every little tool along the way would complain about you being root, nagging you until the easiest thing to do is to just log in as a regular user.

Since it's part of the PDF specs, it should work in Linux too. What's even worse than with Windows is that since 'rm' is just a normal binary the PDF can launch that, and if you run as root privileges, just issue a command like "rm -rf/".

In Windows, the PDF can launch cmd.exe, passing it the commands to execute as parameters (with/c), so nothing changes.

... if you run as root privileges, just issue a command like "rm -rf/". If you don't run as root, then for example Ubuntu should give you the sudo box to input password to.

Have you ever actually used Ubuntu?

No, you won't get a sudo box if you run "rm -rf/" on an account which doesn't have permission. You'll get "permission denied", exactly the same as if you'd try "rmdir/s C:\Windows" from non-admin in Windows.

There's no auto-elevation, neither in Windows nor in Unix. The program has to be explicitly coded to request the OS service (UAC or gksudo) to pop u

just curious, what version of PDF did this become default behavior? Sounds like it's time to roll PDF back a few versions. I can live without active PDF content and fillable forms that remember my previous text input.

Linux may be vulnerable too, if your running the Linux version of Adobe Reader which you would have to go out and get on your own. Every version of Linux I have tried has an open source PDF reader that isn't Adobe's. As for the Firefox exploit, FTA it states that the Firefox must be running the addon Foxit and I'm not sure how common that is.

Though I highly agree with you that Linux users shouldn't believe that Linux can't get malware. It's more unlikely of the 3 major OS's (Windows, OSX, Linux), but that d

Since most Linux systems dont even have the kind of application firewalls or antiviruses that Windows does, and because the Internet accessing is actually done via wget, they don't even get any kind of a "Give internet access to this application?" dialog.

These things slow your computer down and make using applications annoying. They exist on Windows because of the massive problem of malware on Windows. They do not exist on Linux because in general, malware on Linux is not a problem. You can speculate as to why, but that's the way it is. Where real problems exist with Linux, like rootkits, solutions exist (e.g. chkrootkit). If viruses and such get to be a problem, solutions will appear. At the moment virus scanners and outgoing firewall prompts are no

But SELinux is pain in the ass and generally disabled on every desktop oriented Linux distro like Ubuntu..

SELinux works fine in Redhat, at least to the extent that I've used it.

However, Ubuntu has Apparmor instead, and I believe they use it to wrap the PDF viewers by default. So even if this exploit works with some Linux PDF viewer it will probably not be allowed to execute arbitrary application files or modify arbitrary disk files on Ubuntu... making it far less effective.

The attack requires the user of the computer to allow the code to be executed by agreeing to it via a dialog box. However, the attacker could at least partially control the content of the dialog box that appears to prompt the user to launch the executable and thus use social engineering to entice the computer user to agree to execute the malware, said Conway.

Solution : stop accepting that documents should execute binaries in order to display properly.

I am not completely sure, as I don't use foxit, but if I remember correctly, the problem with the last exploit on foxit was that it executed the binary without a dialog box. Adobe reader asked user to confirm with a dialog box. In my opinion something like that is not a vulnerability, so adobe had nothing to patch.

As has alreay been pointed out, the worst this "exploit" can do is elevate to the same rights as the user. As anyone with a CS degree (or even any true IT experience) would know, these rights should be limited.

Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights. Sure, they are making solf half-hearted attempts now to change this. But they created an environment of 3rd party software relying on this full rights model... and it is biting us all on the butt.

Now, Microsoft has for DECADES pushed the paradigm of giving the user administrative rights.

Since you're apparently unaware of the fact, this paradigm was a de facto standard on all home desktop OSes in the 90s. MacOS was not any different, and even Unix-like OSes that were explicitly desktop-oriented used root by default (e.g. BeOS).

"As security firm"? Who does the article mean, Jeremy Conway of NitroSecurity, or Didier Stevens, working for Contraste Europe? Also, it would've been nice if the article linked to an article Jeremy wrote titled "Implications of Recent PDF/Launch Hacks", this article can be found here: http://siemblog.com/2010/04/implications-of-recent-pdf-launch-hacks/ [siemblog.com]

Would switching to a non-Adobe PDF viewer make you safer? I understand this exploit affects Foxit, but there are many other exploits and PDF viewers (MacOS X's Preview, Ghostview/GSView, CutePDF, Nitro, etc.).

Usually the headline says the exploits are in Acrobat; and given Adobe's much larger installed base, they are a much more likely target; but perhaps the exploits are really in PDFs (or JavaScript) in general.

As it’s apparently a standard PDF feature, giving it a shot to run whatever command line its author desires...

Yeah, it would affect anything that supported that feature.

Note that the clean pdf, after it is infected, pops up the window asking to run “firefox.exe sudosecure.net”. I’m not sure exactly how he did it, but note that there is a huge mass of text (judging from the scrollbar) above the “it’s okay, let me do this” message in the evil pdf. He’d have to s

>>>Reading a lone pdf once in a while isn't worth having a massive security flaw

If only that were true. I encounter a PDF at least once a day. Just an hour ago I was reading a PDF about my college homecoming. If it had been possible to get the information some other way, I would have, but they only provided the giant poster in PDF form. - And earlier this morning I encountered a PDF while looking for Lubuntu (lean ubuntu) information.

Why? Just disable the PDF reader plugin, and download & open the files you actually need and trust. Or just install NoScript, which will disable *all* plugin until you explicitly click the frame to activate them.

My car has a hole in its roof called a "sunroof", but I can close it with the touch of a button. If it rains in, that's my fault, not the car manufacturer. But a Windows sunroof won't close, and that's Windows' fault.

Being a multi-billion dollar company whose OS is installed on almost every computer sold, Microsoft has the wherewithall to create a secure, backwards compatible OS. The thing is, they don't have to because their OS is installed on almost every computer sold. There's no incentive for them to d

Between the format wars (.doc,.docx, open office.doc,.odt, etc) and between the HTML / Browser standards (ie6, ie7, ie8, firefox, safari, opera, etc), PDF seems to be the only consistent way to view things across all OS's. Sadly, it's very useful for that reason...

There's always txt files. They might be ugly and no bells/whistles, but AFAIK, nobody's ever gotten infected by one.